Preparing for the Convergence of Risk Management & Business Continuity

Academic year: 2021

(1)

Preparing for the Convergence of Risk Management & Business Continuity

(2)

Today’s Presenter

Frank Perlmutter, CBCP

[email protected]

Former Manager of DR/COOP (BCP) and Risk Manager for the U.S. Department of the Treasury

President & Co-Founder of Strategic BCP®, creators of ResilienceONE® BCM Software

Managed BC, Risk, and Process Improvement

(3)

Background

Strategic BCP® established in 2004

– Purpose: elevate the productivity and relevance of business continuity (BC) professionals

(4)

Webinar Focus Areas

Risk Management vs. Business Continuity

Risk Management Principles

Enterprise Risk Management - Practical Application

Operational Risk Management - Practical Application

(5)

Risk Management vs. Business Continuity

(6)
(7)

Preventative Care vs. Reactive Approach

Analyzing the Risk & Preventing It: Eat well, exercise, and take vitamins

Reacting to the Risk: Get a heart attack and get revived

Proactive vs. Reactive

BC Professionals unfortunately tend to focus too much on the reaction

– Response, Recovery, Restoration

– Plan/Document-Centric

BC Professionals are better served by concentrating adequate focus on the proactive

(8)

Why the Convergence of BC and RM?

The convergence of BC and RM has already occurred and continues to evolve

Regulations, frameworks, and standards reflect a strong theme of management of risk

(9)

Preparation for Current Reality

Many BC Professionals are being left behind by unrequited devotion to outdated methods

Strong plans do not necessarily equate to a strong ability to actually recover and reduce impact. This reduces the value of the Professional that just focuses on plans

Risk Management has value to everyday

(10)

What is the Dominant Discipline?

There is an overlap of concepts between the two disciplines

– The Risk Assessment and Business Impact Analysis are risk-based tools

– How they are implemented, and the value they bring, will determine whether the process is a sound risk-based model or not

Risk Management as a discipline is generally leading the way

(11)

Risk Management Practice Areas

Business Continuity/Incident Management

Internal Controls

Enterprise Risk

Operational Risk

Financial Risk

Information Technology Risk

Legal Risk

Third Party Risk

BOD/Ethics Risk

Environmental Risk

(12)

The Convergence/Overlap

NOW:

Business Continuity—Business Impact Analysis and Risk Assessment

Enterprise Risk

Operational Risk

Information Technology Risk

Financial Risk

Third Party Risk

FUTURE:

Internal Controls?

(13)

Risk Management Principles

(14)

What’s Available?

A sea of Risk Management regulations, standards, and best practices

Business Continuity regulations, standards, and best practices are similarly prevalent

There are similarities and guiding principles throughout all of them

(15)

A Selection of RM Regulations, Standards, Best Practices, Frameworks

• ISO 31000
• COSO Framework
• OCEG GRC Capability Model (Red Book)
• FERMA 2002
• ISO/IEC 31010
• Basel II and Basel III
• BS 25999-2:2007
• ISO 22301:2012
• NFPA 1600: 2007/2010
• Institute of Operational Risk
• ISO 14001
• ISO 27001
• ISO 27005
• NIST 800 Series
• ITIL v.3
• DRII/BCI
• Dodd-Frank Wall Street

(16)

Focus on What Delivers Value

Regulations

– “Mandatory authoritative rules dealing with details or procedures having the force of law, which are issued by an authority of government”

Standards and Best Practices

– “Voluntary criteria, voluntary guidelines and best practices used to enhance the quality, performance, reliability, and consistency of products, services and/or processes”

Our Guidance:

With so many mandatory standards, we have seen that most examiners and executives are paying little attention to voluntary standards

Standards and best practices

(17)

The Mission of Risk Management

Operational Improvement: ability to identify and remediate inefficiently operating processes that may cause outages/impacts

Compliance: evidence of properly implemented standards

Resilience: ability to identify and remediate infrastructure

(18)

Overarching Principles of Risk Management

COSO provides an overall framework and principles for Risk Management

COSO was originally housed in controls; it has moved to a strategic approach

Objectives appear at the top of the cube

The right side of the cube shows that Risk Management must be considered at all levels of an organization

Risk management activities appear on the front of the cube

(19)

Enterprise Risk Management - Practical Application

(20)

Enterprise Risk vs. Operational Risk

Enterprise Risk Management focuses on mitigating events that negatively impact an organization’s supporting infrastructure

– People, Facilities, Information Technology, Assets

– In BC Tool Terms: Risk Assessment, Risk Analysis, Hazard Vulnerability Analysis

Operational Risk Management focuses on mitigating vulnerabilities in operational business processes

– In BC Tool Terms: Business Impact Analysis, Business Impact Assessment, Downtime Impact Analysis

Both disciplines focus on managing risk by making decisions (strategic,

(21)

Establishing an Enterprise Risk Appetite

Core policy that defines decision-making

(Probability x Impact) – Mitigated Risk = Enterprise Risk

Organizations can set a risk appetite around the factors or the overall risk

(22)

Performing an Enterprise Risk Assessment

An Enterprise Risk Assessment (ERA) identifies potential threats that may impact an organization, and identifies measures to limit the probability or impact of these threats.

• Determine the threats to be included on your Enterprise Risk Assessment. They revolve around your infrastructure.
• Research and evaluate each risk by probability and impact of occurrence
• Identify threats outside of the Risk Appetite of the organization
• Provide a mitigation plan with alternatives that show costs of the mitigation measures and how much of the risk is reduced

(23)

Sample ERA Report

• Once risks are quantified, plot them on a grid as shown below. This will help management decide how to deal with the risks (Transfer, Accept, Reduce or Mitigate).

[Sample ERA Report grid: quadrants REDUCE, MITIGATE, ACCEPT and TRANSFER, with example treatments Management Controls, Process Controls, Terminate Activity, Eliminate Risk, Physical Controls, Insurance, Alternate Vendors, Outsourcing, Updated Strategic Alliances]

(24)

Operational Risk Management - Practical Application

(25)

Operational RM and BC Crossing Paths

Operational Risk Management and BC MAY cross paths in several places (if you perform these activities correctly)

– The Business Impact Analysis

– Mapping Normal Operations

The Business Impact Analysis provides a prioritization of operational processes and linked supporting resources by gauging impact (e.g. RTOs)

Mapping (and understanding) normal operations is essential

(26)

Gathering OBJECTIVE Data is Critical

Your data should be based as much on FACT and as little on OPINION as possible; don’t use a subjective method

The Subjective “RTO”: Popular “Asking Method” Example

• Problem #1: There are numerous impacts used to calculate an RTO; respondents couldn’t possibly ANALYZE all scenarios in their heads
• Problem #2: Respondents are not using a consistent scale to determine their RTO; everyone calculates differently in their heads
• Problem #3: Results reflect limited data integrity, making justification to executives and auditors challenging

OBJECTIVE data gathering methods: Provide a consistent scale for all respondents

(27)

Objective Risk-Based Method: Setup

• Start with gathering quantitative and qualitative factors that reflect the impact of taking down your operations
• Weight factors as some may be more important than others

(28)

Objective Risk-Based Method: Data Gathering

• Establish a timeline with time periods (i.e. your Recovery Timeframe Objectives or RTOs) over which you will measure impact

(29)

Objective Risk Based Method: Prioritizing Operational Activities

 #  RTO          Function                           UNDER 1 DAY  1 DAY  2 DAYS  3 DAYS  4 DAYS  5 DAYS  2 WEEKS  3 WEEKS  4 WEEKS  5 WEEKS
 1  Immediately  Process Deposits                            32     48      48      48      64      64       64       64       64       88
 2  Immediately  Take Orders Via Phone                       20     20      28      28      28      36       36       36       44       44
 3  1 DAY        Reconciliation- Beginning of Day             0      0      32      32      40      40       48       48       56       64
 4  2 DAYS       Reconciliation- End of Day                   0      0       0       8       8       8        8        8        8        8

• METRIC: By Total Impact
  – Add the totals for each time period together
  – Provides aggregate risk over the entire time period

• METRIC: By RTO
  – Set a prioritization of activities by time period
  – Set a points limit for your maximum level of acceptable risk. This is your organizational risk appetite.
  – When totals in a time period first exceed that limit, your maximum timeframe is the time

(30)

Setting a Risk Appetite: Operational Risk Modeling

Timeframe    # of Functions (x=6)  # of Functions (x=12)  # of Functions (x=18)  Tier
Immediately                     4                      1                      1  Critical
1 HOUR                          2                      3                      0  Critical
8 HOURS                         7                      4                      2  Critical
12 HOURS                        2                      1                      3  Critical
1 DAY                          17                      7                      2  Critical
2 DAYS                         24                      4                      3  Critical
3 DAYS                          9                      4                      2  Necessary
4 DAYS                         14                      4                      1  Necessary
1 WEEK                          8                      4                      1  Necessary
2 WEEKS                         8                     32                     52  Optional
> 2 WEEKS                       4                     35                     31  Optional

a) X = 6 points: 56% are in the one week timeframe (high risk tolerance, strong recovery capability)

b) X = 12 points: 32% are in the one week timeframe (mean risk tolerance)
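
The method of slides 29 and 30 worked through in code, as an added example that is not part of the webinar or of Strategic BCP's software: it takes the four activities from the prioritization table, computes the "By Total Impact" and "By RTO" metrics, and counts activities per RTO timeframe the way the modeling table does. The reading that an activity's RTO is the last period whose points stay within the limit x, and the tier boundaries, are assumptions; under them, x = 6 reproduces the RTO column of the prioritization table.

```python
# Added example (not from the webinar): the "Objective Risk-Based Method" of
# slides 29-30 over the four sample activities from the slide-29 table.
# Assumption: "exceed" means strictly greater than the points limit x.

PERIODS = ["UNDER 1 DAY", "1 DAY", "2 DAYS", "3 DAYS", "4 DAYS",
           "5 DAYS", "2 WEEKS", "3 WEEKS", "4 WEEKS", "5 WEEKS"]

# Weighted impact points per activity, one value per period (slide-29 table).
ACTIVITIES = {
    "Process Deposits":                 [32, 48, 48, 48, 64, 64, 64, 64, 64, 88],
    "Take Orders Via Phone":            [20, 20, 28, 28, 28, 36, 36, 36, 44, 44],
    "Reconciliation- Beginning of Day": [0, 0, 32, 32, 40, 40, 48, 48, 56, 64],
    "Reconciliation- End of Day":       [0, 0, 0, 8, 8, 8, 8, 8, 8, 8],
}

# Tier boundaries following slide 30 (assumption: Critical through 2 days,
# Necessary through the rest of the first week, Optional beyond that).
CRITICAL_UNTIL, NECESSARY_UNTIL = "2 DAYS", "5 DAYS"

def total_impact_by_period(activities=ACTIVITIES):
    """METRIC 'By Total Impact': sum of every activity's points per period."""
    return {p: sum(scores[i] for scores in activities.values())
            for i, p in enumerate(PERIODS)}

def rto_for(scores, limit):
    """METRIC 'By RTO': last period whose points stay within the limit (the
    risk appetite); 'Immediately' if the first period already exceeds it,
    None if it is never exceeded. Limit 6 reproduces the slide's RTO column."""
    for i, points in enumerate(scores):
        if points > limit:
            return "Immediately" if i == 0 else PERIODS[i - 1]
    return None

def tier_for(rto):
    """Map an RTO timeframe to the slide-30 tiers."""
    if rto is None:
        return "Optional"
    idx = -1 if rto == "Immediately" else PERIODS.index(rto)
    if idx <= PERIODS.index(CRITICAL_UNTIL):
        return "Critical"
    return "Necessary" if idx <= PERIODS.index(NECESSARY_UNTIL) else "Optional"

def functions_by_timeframe(limit, activities=ACTIVITIES):
    """Count activities per RTO timeframe, as the slide-30 table does for x."""
    counts = {}
    for scores in activities.values():
        key = rto_for(scores, limit) or "> 5 WEEKS"
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Raising the limit (say to 40) moves every activity to a later RTO and a lower tier, which is the risk-tolerance trade-off the x = 6 / 12 / 18 columns illustrate.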

(31)

Understanding Operations is Essential

(32)

Reengineering Operations

“Are there any inefficiencies or vulnerabilities in the highest value activities?”

• Provide a process mapping (i.e. a standard operating procedure) for each of the highest value activities
• Notice manual steps and repeated activities
• Provide a roadmap to investigating automation solutions

(33)

People

(34)

Reviewing Supporting Operational Infrastructure

“Are there any inefficiencies or vulnerabilities in the highest value operational infrastructure?”

• Establish an expertise in one or more areas and spot risks and vulnerabilities
  – What are some common risks and vulnerabilities in these areas?
• Offer cost effective/high value mitigation alternatives
  – Over/under utilization of resources

(35)

RED FLAGS: Spotting BCM/RM Tools and Methods That Lead Users Down the Wrong Path

Poor Reporting and Analytics

– Focus on paper planning

– Limited custom reporting or extensive reporting setup

– Output very similar to input

Subjective Data Gathering Methods

– Long questionnaires that ASK USERS to calculate risk; system should provide detailed calculations

– Excessive narrative justification of risk measurements

(36)
(37)

Wrap-Up

For more insights:

Contact Frank Perlmutter, CBCP

[email protected]

Visit www.strategicBCP.com
